Bug 455374 - Deployment_Guide: update section 17.6. (bind mistakes) wrt RHSA-2008:0533
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: Deployment_Guide
Version: 5.2
Hardware: All Linux
Priority: medium Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Martin Prpič
ecs-bugs
: Documentation
Depends On:
Blocks:
Reported: 2008-07-15 03:55 EDT by Tomas Hoger
Modified: 2016-06-17 17:09 EDT (History)
CC List: 3 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 12:10:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Tomas Hoger 2008-07-15 03:55:43 EDT
Description of problem:
Murray McAllister notified us of the last common mistake in bind configuration
as described in section 17.6 of the Deployment Guide:

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/s1-bind-mistakes.html

With respect to current research in DNS security, such a setting is insecure.  We
should add a warning about it and discourage the use of a fixed source UDP port.
Proposed text draft:

Note: Further research in DNS security showed that using a fixed source UDP port
for DNS queries is a security threat allowing an attacker to conduct cache
poisoning attacks. Because of that, the bind name server was updated via
RHSA-2008:0533 [1] to use a new randomly selected source port for each DNS query,
not only during daemon startup. The advice above can make DNS resolving work through
firewalls configured in such a restrictive way, but it puts your DNS resolving at
risk. You should not configure named to use a static source port; rather, the firewall
configuration needs to be changed to allow queries from a random UDP source port.

[1] https://rhn.redhat.com/errata/RHSA-2008-0533.html
Comment 1 RHEL Product and Program Management 2008-07-15 04:00:49 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 2 RHEL Product and Program Management 2008-10-27 14:21:11 EDT
This request was previously evaluated by Red Hat Product Management
for inclusion in the current Red Hat Enterprise Linux release, but
Red Hat was unable to resolve it in time.  This request will be
reviewed for a future Red Hat Enterprise Linux release.
Comment 6 Douglas Silas 2009-12-01 17:37:37 EST
Footnote URL correction provided courtesy of Murray: http://rhn.redhat.com/errata/RHSA-2008-0533.html

I've fixed this in the text.

Thanks!
Comment 8 Douglas Silas 2010-02-02 04:16:38 EST
Tomas,

I have expanded the text and changed the link to use HTTPS. What do you think of the following text:

committed -r 26260 DG5.5 branch; committed -r 26261 DG5.4 branch.

<SNIP>
Warning: Avoid Using Fixed UDP Source Ports
Recent research in DNS security has shown that using a fixed UDP source port for DNS queries is a potential security vulnerability that could allow an attacker to more easily conduct cache-poisoning attacks. Due to this security threat, Red Hat issued a security update[3] for all versions of Red Hat Enterprise Linux which updated the default sample caching-nameserver configuration files so that they do not specify a fixed query-source port, thus causing the BIND nameserver to use a new, randomly-selected source port for each DNS query by default. This method had previously only been used during named service startup.
DNS resolving is at risk whenever named is configured to use a static UDP source port. To avoid this risk, we recommend configuring your firewall to allow queries from a random UDP source port.
BIND administrators with existing configurations who wish to take advantage of randomized UDP source ports should check their configuration files to ensure that they have not specified fixed query-source ports.
</SNIP>

<FOOTNOTE [3]>
The security update was RHSA-2008:0533. [silas: the erratum ID is linked to https://rhn.redhat.com/errata/RHSA-2008-0533.html]
</FOOTNOTE>
Comment 9 Tomas Hoger 2010-02-02 04:41:14 EST
One correction related to RHSA-2008:0533 - the important part of that RHSA is the introduction of the code that causes bind to use a random source port per query.  Before that update, it used a fixed port, either randomly chosen at start-up, or one configured in the named.conf.

The caching-nameserver correction was actually an update to that RHSA, as the fix was negated by the fact that the default config specified a fixed source port.  So, IMO, this text should emphasize the fact that the RHSA introduced a per-query random source port, but even that protection can be disabled if one configures a static source port (which, IIRC, once was a recommended way to simplify firewall configs).  We did that by mistake, but no longer do.

I find this part a little confusing:
  DNS resolving is at risk whenever named is configured to use a static UDP
  source port. To avoid this risk, we recommend configuring your firewall to
  allow queries from a random UDP source port.

You surely need both (random source port allowed in the bind and firewall configs).  If you only do the bind part and the firewall only allows a particular source port (e.g. 53), DNS resolution would be broken and the issue spotted immediately.  So once a random source port is used by bind (recommended), the firewall must be configured in a way that does not block the communication.

HTH
Comment 10 Douglas Silas 2010-02-02 05:28:11 EST
Tomas,

You're very right: I confused the update to the issued erratum with the fix (severe brain lag).

I think the proper fix for this
Comment 11 Douglas Silas 2010-02-02 05:42:58 EST
(CCed Adam Tkac)

(cont'd from comment 10)
...the proper fix for this will be to remove the FAQ entry and move the discussion of random UDP source ports (including firewall configuration advice) to the Configuring /etc/named.conf section, which will make more sense. The FAQ entry could be retained, but should simply link to Configuring /etc/named.conf. I will do that tomorrow and verify again. Thanks once more for the explanation Tomas.
Comment 13 RHEL Product and Program Management 2010-08-09 14:51:08 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 15 Martin Prpič 2011-06-02 05:46:39 EDT
Tomas, I've modified the text according to your last feedback (comment #9). If the text is good I will move it to the "Configuring /etc/named.conf" section and link to it from the "Common Mistakes to Avoid" section as per comment #11.

Thanks!

<SNIP>
Warning: Avoid Using Fixed UDP Source Ports
Recent research in DNS security has shown that using a fixed UDP source port for DNS queries is a potential security vulnerability that could allow an attacker to more easily conduct cache-poisoning attacks. Due to this security threat, Red Hat issued a security update[1] for all versions of Red Hat Enterprise Linux which updated the default sample caching-nameserver configuration files so that they do not specify a fixed query-source port, thus causing the BIND nameserver to use a new, randomly-selected source port for each DNS query by default. This method had previously only been used during named service startup. Note that the random selection of source ports may still be disabled if a static source port is configured.
DNS resolving is at risk whenever named is configured to use a static UDP source port and a firewall is configured to block connections from the named daemon. To avoid this risk, we recommend configuring your firewall to allow queries from a random UDP source port, that is, your firewall must be configured in a way that does not block any communication.
BIND administrators with existing configurations who wish to take advantage of randomized UDP source ports should check their configuration files to ensure that they have not specified fixed query-source ports. 
</SNIP>
Comment 16 Tomas Hoger 2011-06-02 10:37:37 EDT
Reading description in comment #15, I believe this part of my comment #11 is still valid: "IMO, this text should emphasize on the fact that RHSA introduced per-query random source port".

I gave this a try now that some of the info is no longer as recent as it was back then.  Here's what I came up with.

DNS resolvers that are not configured to perform DNSSEC validation, or that need to query DNS zones that are not protected by DNSSEC, only use a 16-bit transaction identifier (TXID) and the destination UDP port number to check whether a DNS reply was sent by the server they queried for DNS data.

Previously, BIND always used a fixed UDP source port when sending DNS queries. It used either the port configured using the query-source (and query-source-v6) directive, or one randomly chosen at startup. When a static query source port is used, the TXID offers insufficient protection against spoofed replies and allows an attacker to perform cache-poisoning attacks efficiently. To address this problem, BIND was updated to allow using a randomly-selected source port for each DNS query, which makes it more difficult for an attacker to spoof replies if they cannot see the query packets. A security update [1] was released for all affected Red Hat Enterprise Linux versions. Additionally, the default configuration provided by the caching-nameserver package was updated to no longer specify a fixed query source port.

When deploying BIND as a DNS resolver, ensure that you do not force BIND to use a fixed query source port by the use of the aforementioned configuration directives. Your firewall configuration must also permit the use of random query source ports. Previously, it was common practice to configure BIND to use port 53 as the query source port, and to only allow DNS queries from that port on the firewall.
